Skip to content
Latchkey

AWS CDK "is not authorized to perform sts:AssumeRole on cdk-...-deploy-role" in CI

Modern CDK deploys by assuming the bootstrap deploy/file-publishing roles (cdk-<qualifier>-deploy-role-...). The CI identity (an OIDC role or access key) is not trusted by those roles, so STS denies the assume call.

What this error means

cdk deploy fails with "current credentials could not be used to assume \"arn:aws:iam::...:role/cdk-hnb659fds-deploy-role-...\"" or an explicit "is not authorized to perform: sts:AssumeRole" from STS.

cdk
current credentials could not be used to assume
'arn:aws:iam::123456789012:role/cdk-hnb659fds-deploy-role-123456789012-us-east-1',
but are for the right account. Proceeding anyway.
... User: arn:aws:sts::123456789012:assumed-role/gha-deployer/... is not authorized
to perform: sts:AssumeRole on resource: ...cdk-hnb659fds-deploy-role...

Common causes

The deploy role trust policy excludes the CI principal

The bootstrap roles trust only a configured set of principals; your OIDC role ARN is not in the trust policy, so AssumeRole is denied.

The CI role lacks sts:AssumeRole permission

Even with trust set, the CI identity's own policy may not allow sts:AssumeRole on the cdk-* roles.

How to fix it

Trust the CI principal when bootstrapping

  1. Re-bootstrap with --trust pointing at the CI deployer role/account.
  2. Confirm the OIDC role ARN matches the trust policy on the cdk-* roles.
  3. Re-run the deploy so AssumeRole succeeds.
Terminal
cdk bootstrap aws://123456789012/us-east-1 \
  --trust arn:aws:iam::123456789012:role/gha-deployer \
  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess

Grant the CI role assume permission

Allow the CI identity to assume the cdk-* roles in its own IAM policy.

iam-policy.json
{
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::123456789012:role/cdk-*"
}

How to prevent it

  • Bootstrap with --trust for every CI deployer principal.
  • Use OIDC role ARNs consistently and keep trust policies in sync.
  • Re-bootstrap when the CI deployer role changes.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →